[
https://issues.jboss.org/browse/TEIID-3618?page=com.atlassian.jira.plugin...
]
Ramesh Reddy commented on TEIID-3618:
-------------------------------------
More helpful links
https://developer.salesforce.com/blogs/developer-relations/2011/03/oauth-...
https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_jwt_...
http://salesforce.stackexchange.com/questions/31904/how-and-when-does-a-s...
http://salesforce.stackexchange.com/questions/30596/oauth-2-0-jwt-bearer-...
http://salesforce.stackexchange.com/questions/88396/invalid-assertion-err...
*OAuth Refresh Token Steps*
1) Create a connected app (may need to set up a custom domain).
2) Add a profile and/or permission set to the connected app.
3) Grab the "callback url" (one needs to set it as "https://localhost:443/_callback").
4) Run through teiid-oauth-util.sh in the "<eap>/bin" directory, using the
client_id, client_pass, and callback from the connected app.
5) Use the "https://login.salesforce.com/services/oauth2/authorize" authorize link.
6) Use "https://login.salesforce.com/services/oauth2/token" for the access token
URL.
7) Then you get a refresh token from it.
8) Create a security-domain like
{code}
<security-domain name="oauth2-security">
    <authentication>
        <login-module code="org.teiid.jboss.oauth.OAuth20LoginModule"
                      flag="required" module="org.jboss.teiid.security">
            <module-option name="client-id" value="xxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="refresh-token" value="xxxx"/>
            <module-option name="access-token-uri"
                           value="https://login.salesforce.com/services/oauth2/token"/>
        </login-module>
    </authentication>
</security-domain>
{code}
*JWT based Steps*
1) Create a self-signed certificate locally or on Salesforce
(user->setup->security-controls->Certificate and Key Management).
2) Download the certificate and also put it in a keystore and download the keystore. The keystore is
needed for Teiid, the certificate for the Salesforce setup.
3) Create a connected app and select OAuth, and select all the scopes (some posts say
refresh-token offline is a must).
4) Create a profile and/or permission set and assign it to the connected app. I believe before
you can create a connected app you need to set up a custom domain.
5) When creating the connected app make sure you add the certificate in "Digital
Certificate".
6) Now in Teiid create a security-domain like
{code}
<security-domain name="oauth2-jwt-security">
    <authentication>
        <login-module code="org.teiid.jboss.oauth.JWTBearerTokenLoginModule"
                      flag="required" module="org.jboss.teiid.security">
            <module-option name="client-id" value="xxxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="access-token-uri"
                           value="https://login.salesforce.com/services/oauth2/token"/>
            <module-option name="jwt-audience" value="https://login.salesforce.com"/>
            <module-option name="jwt-subject" value="your(a)sf-login.com"/>
            <module-option name="keystore-type" value="JKS"/>
            <module-option name="keystore-password" value="changeme"/>
            <module-option name="keystore-url" value="${jboss.server.config.dir}/salesforce.jks"/>
            <module-option name="certificate-alias" value="teiidtest"/>
            <module-option name="signature-algorithm-name" value="SHA256withRSA"/>
        </login-module>
    </authentication>
</security-domain>
{code}
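To make the JWT configuration above concrete, here is an added Java example (not Teiid's own JWTBearerTokenLoginModule code) showing what those module-options feed into: the private key is read from the JKS keystore under certificate-alias, the assertion carries iss = client-id, sub = jwt-subject, aud = jwt-audience with a short exp, is signed with signature-algorithm-name, and is posted with the RFC 7523 jwt-bearer grant type. The class name, the 3-minute expiry, a file: keystore-url and a key password equal to the store password are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;

/** Builds the signed JWT assertion that the jwt-bearer grant posts to access-token-uri (RFC 7523). */
public final class SalesforceJwtAssertion {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Loads the signing key named by keystore-url / keystore-type / keystore-password / certificate-alias. */
    static PrivateKey loadKey(String keystoreUrl, String keystoreType, char[] password, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(keystoreType);        // "JKS" in the config above
        try (InputStream in = new URL(keystoreUrl).openStream()) { // assumes a file: URL
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password); // assumes key password == store password
        if (key == null) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        return key;
    }

    /** iss = client-id, sub = jwt-subject, aud = jwt-audience; exp is deliberately short (3 minutes, assumed). */
    static String buildAssertion(PrivateKey key, String clientId, String subject, String audience,
                                 String sigAlg) throws Exception {
        long exp = System.currentTimeMillis() / 1000 + 180;
        // Claim values are assumed to contain no JSON-special characters; use a JSON library otherwise.
        String header = "{\"alg\":\"RS256\"}";                   // RS256 is JWT's name for SHA256withRSA
        String claims = String.format("{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"exp\":%d}",
                clientId, subject, audience, exp);
        String signingInput = b64(header) + "." + b64(claims);
        Signature sig = Signature.getInstance(sigAlg);            // signature-algorithm-name
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(sig.sign());
    }

    private static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** Form body sent to access-token-uri; no client-secret or refresh-token travels with it. */
    static String tokenRequestBody(String assertion) {
        return "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
                + "&assertion=" + assertion;
    }
}
```

Because only the public certificate is uploaded to the connected app, the keystore file and its password are the secret here; keep keystore-password out of version-controlled configuration just as you would client-secret.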
Salesforce SSO
--------------
Key: TEIID-3618
URL:
https://issues.jboss.org/browse/TEIID-3618
Project: Teiid
Issue Type: Feature Request
Components: Salesforce Connector
Reporter: Kenneth Peeples
Assignee: Ramesh Reddy
The current Salesforce Connector is using password+token for credentials. We should have
the ability to use Salesforce SSO.
Implement it the same as described here (we could use Keycloak or Picketlink for IDP) -
https://login.salesforce.com/help/pdfs/en/salesforce_single_sign_on.pdf?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)